Privacy Policy
Last updated: 27 February 2025
1. Who we are
ReadmeBot is an AI-powered README generation service. For any data protection queries, you can contact us at privacy@readmebot.ai.
2. What data we collect
We collect and process the following personal data under the UK General Data Protection Regulation (UK GDPR):
| Data type | Purpose | Lawful basis (Art. 6(1)) | Retention |
|---|---|---|---|
| GitHub profile (name, email, username) | Account creation & authentication | Contract | Account lifetime |
| GitHub OAuth tokens (encrypted) | Repository access | Contract | Deleted on account deletion |
| Repository content (sent to Anthropic) | README generation | Contract | Not stored after generation |
| IP addresses | Rate limiting & abuse prevention | Legitimate interests | 90 days |
| Payment data (via Stripe) | Billing & subscription management | Contract | 6 years (HMRC requirement) |
| Analytics (PostHog, cookieless EU) | Service improvement | Legitimate interests | 26 months |
| Email logs (Resend) | Freshness notification delivery | Contract | 2 years |
| Generated README content | Generation history & re-download | Contract | Account lifetime (user can delete individually) |
3. How we use your data
- Delivering the README generation service
- Processing payments and managing subscriptions
- Preventing abuse and enforcing rate limits
- Sending transactional emails (e.g. freshness alerts)
- Improving the service through anonymous, aggregated analytics
4. Third-party processors
We share personal data with the following processors, each under appropriate data processing agreements:
- Anthropic — repository content for AI processing (Privacy Policy)
- GitHub — OAuth authentication and repository access (Privacy Statement)
- Stripe — payment processing (Privacy Policy)
- PostHog — product analytics, EU-hosted, cookieless (Privacy Policy)
- Resend — transactional email delivery (Privacy Policy)
- Vercel — hosting and edge functions (Privacy Policy)
- Supabase — database hosting (Privacy Policy)
5. International data transfers
Some of our processors are based in the United States. These transfers are safeguarded by the UK Extension to the EU-US Data Privacy Framework and, where applicable, International Data Transfer Agreements (IDTAs) in accordance with UK GDPR requirements.
6. Cookies & tracking
- Essential session cookies — used by NextAuth for authentication. These are strictly necessary and do not require consent.
- Cookieless analytics — PostHog is configured with persistence: "memory", meaning no tracking cookies are set on your device.
- We do not use any third-party tracking cookies or advertising pixels.
7. Your rights
Under UK GDPR (Articles 15–22), you have the right to:
- Access — request a copy of your personal data (available via Settings > Account > Export your data)
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your account and data (available via Settings > Account > Delete account)
- Restriction — ask us to limit processing of your data
- Portability — receive your data in a structured, machine-readable format (JSON export)
- Objection — object to processing based on legitimate interests
- Automated decision-making — we do not make automated decisions with legal or significant effects
If you are unsatisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
8. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion |
| OAuth tokens | Until account deletion |
| Repository content | Not stored (processed in memory) |
| IP addresses | 90 days |
| Payment records | 6 years (HMRC) |
| Analytics data | 26 months |
| Email logs | 2 years |
| Generated READMEs | Until account deletion |
9. Email communications
- Transactional emails (e.g. account confirmations) are sent under our contractual basis and cannot be opted out of while you hold an account.
- Freshness alert emails are sent under the PECR soft opt-in for similar products. You can opt out at any time via the unsubscribe link in every email or in your account Settings. Each email clearly identifies ReadmeBot as the sender.
10. AI and your data
- Repository content is sent to Anthropic's API for README generation. Per Anthropic's API terms, data sent via the API is not used for model training.
- Repository content is processed in memory and is not stored by ReadmeBot after generation is complete.
- We do not engage in automated decision-making that produces legal or similarly significant effects on you.
11. Children
ReadmeBot is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.
12. Changes to this policy
We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by placing a prominent notice on the service. The “Last updated” date at the top of this page indicates when this policy was last revised.
13. Contact us
For any data protection requests (access, erasure, rectification, etc.), please email privacy@readmebot.ai. We will respond within one month of receiving your request, as required by UK GDPR.